Back to plugin

Security audit

OpenClaw X Plugin

Security checks across malware telemetry and agentic risk

Overview

This X/Twitter plugin requests powerful account access, but its files consistently describe and implement that purpose with local OAuth/session storage and approval-gated publishing.

Install only if you intend to connect your own X developer app and allow this plugin to read account data and publish approved drafts. Keep the session file in a private path, treat it like a password because it may contain refresh tokens, and require human review before using the approve and publish tools.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/auth.js:83
Evidence
headers.Authorization = [REDACTED](params.config.clientId, clientCredential);